Data security hinges on money, not technology, feds say

Government customers can foster information assurance by demanding it from vendors, said officials charged with overseeing the safety of the nation's critical infrastructure.

'Money talks,' said Richard H.L. Marshall, principal deputy director of the Critical Infrastructure Assurance Office. 'Put your money where your mouth is, and you're going to have good behavior. Make vendors be responsible for creating good products.'

Customer demands have begun to have an impact, said Howard A. Schmidt, vice chairman of the President's Critical Infrastructure Protection Board. A number of software and hardware providers, such as Microsoft Corp. and Sun Microsystems Inc., have decided that 'security will trump feature sets' in future products, he said.

Marshall and Schmidt were among a panel of federal and corporate experts discussing responsibility and accountability in information assurance today at the Sector5 cybersecurity conference in Washington.

The panelists, who also included Ronald Dick, director of the National Infrastructure Protection Center, and Secret Service agent Bob Weaver, who heads the New York Electronic Crimes Taskforce, agreed that security conditions should focus on prevention rather than response.

But getting the money to adequately secure systems has always been a problem. Today's discussion had a sense of déjà vu about it, Schmidt said. Although problems have long been known, 'we're all saying the same thing two or three years later,' he said.